Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.0909
Moodle security updates
16 March 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: moodle
Publisher: moodle
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Cross-site Scripting -- Remote with User Interaction
Unauthorised Access -- Remote/Unauthenticated
Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-20283 CVE-2021-20282 CVE-2021-20281
CVE-2021-20280 CVE-2021-20279 CVE-2020-11023
CVE-2020-11022
Original Bulletin:
https://moodle.org/mod/forum/discuss.php?d=419651&parent=1691260
https://moodle.org/mod/forum/discuss.php?d=419650&parent=1691259
https://moodle.org/mod/forum/discuss.php?d=419655&parent=1691274
https://moodle.org/mod/forum/discuss.php?d=419654&parent=1691273
https://moodle.org/mod/forum/discuss.php?d=419653&parent=1691269
https://moodle.org/mod/forum/discuss.php?d=419652&parent=1691268
Comment: This bulletin contains six (6) moodle security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
MSA-21-0007: Stored XSS and blind SSRF possible via feedback answer text
Text-based feedback answers required additional sanitizing to prevent stored
XSS and blind SSRF risks.
Severity/Risk: Serious
Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and
earlier unsupported versions
Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by: Holme and Rekter0
CVE identifier: CVE-2021-20280
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70767
Tracker issue: MDL-70767 Stored XSS and blind SSRF possible via feedback
answer text
- --------------------------------------------------------------------------------
MSA-21-0006: Stored XSS via ID number user profile field
The ID number user profile field required additional sanitizing to prevent a
stored XSS risk.
Severity/Risk: Serious
Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and
earlier unsupported versions
Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by: Magyar-Hunor Tamas
Workaround: Disable the ID number field by unchecking it in Site admin >
Users > User policies > Show user identity,
until the patch has been applied.
CVE identifier: CVE-2021-20279
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-65552
Tracker issue: MDL-65552 Stored XSS via ID number user profile field
- --------------------------------------------------------------------------------
MSA-21-0011: JQuery versions below 3.5.0 contain some potential vulnerabilities
(upstream)
The JQuery version used by Moodle required upgrading to 3.5.1 to patch some
published potential vulnerabilities.
Severity/Risk: Minor
Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and
earlier unsupported versions
Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by: Mike Henry
CVE identifiers: CVE-2020-11022 and CVE-2020-11023
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69680
Tracker issue: MDL-69680 JQuery versions below 3.5.0 contains some potential
vulnerabilities
- --------------------------------------------------------------------------------
MSA-21-0010: Fetching a user's enrolled courses via web services did not check
profile access in each course
The web service responsible for fetching other users' enrolled courses did not
validate that the requesting user had permission to view that information in
each course.
Severity/Risk: Minor
Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and
earlier unsupported versions
Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by: Paul Holden
CVE identifier: CVE-2021-20283
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70822
Tracker issue: MDL-70822 Fetching a user's enrolled courses via web services
did not check profile access in each course
- --------------------------------------------------------------------------------
MSA-21-0009: Bypass email verification secret when confirming account
registration
When creating a user account, it was possible to verify the account without
having access to the verification email link/secret.
Severity/Risk: Minor
Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and
earlier unsupported versions
Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by: Bandjes
CVE identifier: CVE-2021-20282
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70668
Tracker issue: MDL-70668 Bypass email verification secret when confirming
account registration
- --------------------------------------------------------------------------------
MSA-21-0008: User full name disclosure within online users block
It was possible for some users without permission to view other users' full
names to do so via the online users block.
Severity/Risk: Minor
Versions affected: 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and
earlier unsupported versions
Versions fixed: 3.10.2, 3.9.5, 3.8.8 and 3.5.17
Reported by: Ankit Agarwal
Workaround: Hide the online users block (via Site administration > Plugins
> Blocks > Manage blocks) until the patch
has been applied.
CVE identifier: CVE-2021-20281
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-59293
Tracker issue: MDL-59293 User full name disclosure within online users block
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYE/4l+NLKJtyKPYoAQgUThAAmHfz1D2l0DdKx5BlDJSpecFHrwiUxV3T
v6jA3O1OC3MOkw+iIDGYGqX/B53Gl2ZKWFBt5X6fexRn+BpM+i6ElP7zoD4s3oqk
AnGVvyTy7Do+koBKRcvfXtC5MDxBekyFiKdeTKSlEgMiuq3ivyANQ03XGb3mNTIz
CdvxGc5+Kmv2aJuejTJndolf1UIuVaXVfafjVbSGIudaVgsoK/gXK5MD+4tSDBws
5/swFiIqOOp4brZmX6YHnJTzF9bBZRJsa8szDdYH+yl3tSNyCQ67/0HFrUr9UVkp
kyh2qTs9znhSHFxWM0eAzNRzOTYr7uLqtUSz1TXeRa5rqvWe4uvFfYFxYm4Y56pM
n6fqAXJkV5Jgi9eBlgCcNQQpKUs0Jefcd2SMCfQCTvdNiSESFnajnrn2tJCYdMlN
Xane6cVzM3BN0ta5g0VdLzEBR7zXsB9KOf0d+wbwLu4sNeXbcavMAQuH8GJJ+HtD
w07Hy9TuHaYZWa6tF6gdILxkHZ+Czm2JcLwEXEaT+hWcBbc3rT1xZL9HMCtZPESZ
8f5hgcnsDCdcAqmVyCga7WcpiPAEBZ22uLgrzdIY+TydpgCIfweFhPdqy6e7/cSD
TlgraBW3f/Yf5JnuKM0KEwHyndWmW4VyHyB+M0c2x9ToEAGYYszczdjtv0kEcuHO
BAM4NG1DfvM=
=M1eW
-----END PGP SIGNATURE-----